What Companies Are Actually Paying for Application Security
In the Application Security Testing (AST) market, Static Application Security Testing (SAST) and Software Composition Analysis (SCA) represent the two most critical pillars of preventative cyber defense.
As part of that, we should talk about the thing people normally can't or don't talk about: cost. Vendors like to hide their pricing behind "contact sales" buttons, and buyers end up negotiating based on hard-to-find information.
So here's an unofficial look at what companies are actually paying, pulled from a Deep Research report provided by Gemini. At the very end there is a list of resources where you can learn more about these subjects. However, it is important to mention that there are not a lot of viable options for the home/hobby market.
What the Market Looks Like
| Vendor | Average Mid-Market / SMB Spend (Annual) | Average Large Enterprise Spend (Annual) | Economic Dynamics and Negotiation Factors |
|---|---|---|---|
| Snyk | ~$47,428 | ~$222,516 | Costs scale rapidly with developer headcount. Highly susceptible to volume discounting. Total cost includes separate quoting for onboarding and services. |
| Black Duck (Coverity) | $60,000 – $120,000 (50–100 devs) | $150,000 – $300,000+ (150+ devs) | Full platform deployments (SAST + SCA) often range from $300k to $600k+. Volume discounts and custom enterprise agreements are typical. Premium support adds 20–30%. |
| Checkmarx | $35,000 – $75,000 | $100,000 – $250,000+ | Pricing is considered complex. Hidden costs include mandatory professional services, premium support, and infrastructure overhead, adding 15–35% to year-one totals. |
| Veracode | $40,000 – $80,000 | $100,000 – $250,000+ | Application-based pricing feels predictable until microservice architectures cause application counts to explode. Discounts are heavily available for SAST+DAST+SCA bundles. |
| SonarQube | $30,000 – $50,000 (up to 5M LOC) | $80,000 – $180,000 (5M – 20M+ LOC) | Highly predictable LOC model. However, self-managed deployments incur separate infrastructure and administrative overhead costs not reflected in the software license. |
| HCL AppScan | $50,000+ | $100,000 – $500,000+ | Unified platform pricing for large deployments can easily exceed $1M. Implementations often require months of setup and heavy professional service fees. |
Official Licensing Models and Published Structures
| Vendor / Platform | Primary Pricing Metric | Published Entry-Level / Standard Tier Pricing | Enterprise Pricing Status | Key Inclusions & Pricing Caveats |
|---|---|---|---|---|
| Snyk | Per Contributing Developer | Team Tier: ~$52–$98 per developer/month ($624–$1,176/year). | Custom / Unpublished | Includes Snyk Code (SAST) and Open Source (SCA). Enterprise plans drop per-seat costs at high volume but require minimum seat counts. |
| SonarQube | Lines of Code (LOC) Analyzed | Developer Edition: ~$15,000 for 1M LOC. Smaller tiers available (e.g., ~$2,500 for 100k LOC). | Annual Pricing; Talk to Sales | Prices scale strictly by the largest branch of private projects. Enterprise Edition adds legacy languages. Advanced Security is an add-on. |
| GitHub Advanced Security | Per Active Committer | $19/user/month (Secrets) + $30/user/month (Code) = $49/user/month. | Custom / Add-on to Enterprise ($21/user base) | GHAS is strictly an add-on to the GitHub Enterprise plan. Tied directly to commit activity within a 30-day window. |
| Mend.io | Per Contributing Developer | AppSec Platform: Up to $1,000 per developer/year. | Included in upper bound limit | Includes SAST, SCA, Renovate, and AI Inventory. No limits on LOC, scans, or applications. AI Premium is an extra $300/dev. |
| Checkmarx | Custom (Historically Per App or Node) | Team Plans: ~$1,188/year base. Enterprise base starts ~$6,850/year. | Custom / Unpublished | Highly modular pricing based on developer count, module selection (SAST, SCA, DAST), and deployment model. |
| Veracode | Per Application or Per Scan | Basic plans start at ~$15,000/year for up to 100 applications. | Custom / Unpublished | Pricing heavily depends on application count, scan frequency, and support levels. SCA alone starts around $12,000/year. |
| Black Duck (Coverity) | Per Team Member / Custom | Coverity SAST: $800–$1,500 per team member annually. | Custom / Unpublished | Pricing scales with user access. Often bundled. Perpetual licenses with 18–22% annual maintenance fees exist for legacy deployments. |
| Contrast Security | Custom (GiB hour / usage) | Essential tier: $119/mo. Advanced: $359/mo. Enterprise base ~$6,850/yr. | Custom / Unpublished | Pricing varies by package (AST vs. Contrast One managed service) and workload throughput. |
| HCL AppScan | Per Scan / Enterprise License | SaaS: ~$313 per scan (min 5 scans). Basic Codesweep: $29.99/scan. | Custom / Unpublished | Enterprise suite pricing is highly customized, often requiring significant upfront capital expenditure. |
Feature Comparison
| Feature / Capability | Snyk | Veracode | Black Duck | Checkmarx | Mend.io | GitHub (GHAS) | SonarQube | Endor Labs |
|---|---|---|---|---|---|---|---|---|
| Primary Strength | Developer Adoption & Speed | Enterprise Governance & Low FPs | License Compliance & Deep SAST | Unified ASPM & Repo Scanning | Automated Remediation | Native Ecosystem Integration | Code Quality & Baseline Security | Noise Reduction & Reachability |
| Reachability Analysis | Basic | No | No | No | Advanced | No | No | Full-Stack (95% reduction) |
| Automated AI Fixes | Yes (DeepCode) | Yes (Proprietary Data) | No | Yes (Limited IDE) | Yes | Yes (Copilot) | Yes (CodeFix) | Yes (Without upgrades) |
| Compilation Required | No | Yes (Binary) | Yes (Coverity) | No | No | No | No | No |
| Broad Language Support | High (14+) | Very High (100+) | High (22+) | High (35+) | Very High (200+) | Moderate | High (40) | Moderate |
| License Compliance | Moderate | Moderate | Enterprise-Grade | Moderate | Enterprise-Grade | Basic | Basic | Moderate |